From 0930cb3021b8078b34cf216e79eb8608d017864f Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Sat, 13 Oct 2018 22:03:02 +1030
Subject: [PATCH] _bfd_clear_contents bounds checking
This PR shows a fuzzed binary triggering a segfault via a bad
relocation in .debug_line. It turns out that unlike normal
relocations applied to a section, the linker applies those with
symbols from discarded sections via _bfd_clear_contents without
checking that the relocation is within the section bounds. The same
thing now happens when reading debug sections since commit
a4cd947aca23, the PR23425 fix.
PR 23770
PR 23425
* reloc.c (_bfd_clear_contents): Replace "location" param with
"buf" and "off". Bounds check "off". Return status.
* cofflink.c (_bfd_coff_generic_relocate_section): Update
_bfd_clear_contents call.
* elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise.
* elf32-arc.c (elf_arc_relocate_section): Likewise.
* elf32-i386.c (elf_i386_relocate_section): Likewise.
* elf32-metag.c (metag_final_link_relocate): Likewise.
* elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise.
* elf32-ppc.c (ppc_elf_relocate_section): Likewise.
* elf32-visium.c (visium_elf_relocate_section): Likewise.
* elf64-ppc.c (ppc64_elf_relocate_section): Likewise.
* elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise.
* libbfd-in.h (_bfd_clear_contents): Update prototype.
* libbfd.h: Regenerate.
Upstream-Status: Backport
CVE: CVE-2018-18605
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
bfd/ChangeLog | 20 ++++++++++++++++++++
bfd/cofflink.c | 2 +-
bfd/elf-bfd.h | 2 +-
bfd/elf32-arc.c | 2 +-
bfd/elf32-i386.c | 2 +-
bfd/elf32-metag.c | 2 +-
bfd/elf32-nds32.c | 8 ++++----
bfd/elf32-ppc.c | 2 +-
bfd/elf32-visium.c | 2 +-
bfd/elf64-ppc.c | 2 +-
bfd/elf64-x86-64.c | 2 +-
bfd/libbfd-in.h | 4 ++--
bfd/libbfd.h | 4 ++--
bfd/reloc.c | 19 +++++++++++++------
14 files changed, 50 insertions(+), 23 deletions(-)
--- a/bfd/cofflink.c
+++ b/bfd/cofflink.c
@@ -3080,7 +3080,7 @@ _bfd_coff_generic_relocate_section (bfd
if (sec != NULL && discarded_section (sec))
{
_bfd_clear_contents (howto, input_bfd, input_section,
- contents + (rel->r_vaddr - input_section->vma));
+ contents, rel->r_vaddr - input_section->vma);
continue;
}
--- a/bfd/elf-bfd.h
+++ b/bfd/elf-bfd.h
@@ -2811,7 +2811,7 @@ extern asection _bfd_elf_large_com_secti
{ \
int i_; \
_bfd_clear_contents (howto, input_bfd, input_section, \
- contents + rel[index].r_offset); \
+ contents, rel[index].r_offset); \
\
if (bfd_link_relocatable (info) \
&& (input_section->flags & SEC_DEBUGGING)) \
--- a/bfd/elf32-arc.c
+++ b/bfd/elf32-arc.c
@@ -1552,7 +1552,7 @@ elf_arc_relocate_section (bfd * outp
if (sec != NULL && discarded_section (sec))
{
_bfd_clear_contents (howto, input_bfd, input_section,
- contents + rel->r_offset);
+ contents, rel->r_offset);
rel->r_info = 0;
rel->r_addend = 0;
--- a/bfd/elf32-i386.c
+++ b/bfd/elf32-i386.c
@@ -2197,7 +2197,7 @@ elf_i386_relocate_section (bfd *output_b
if (sec != NULL && discarded_section (sec))
{
_bfd_clear_contents (howto, input_bfd, input_section,
- contents + rel->r_offset);
+ contents, rel->r_offset);
wrel->r_offset = rel->r_offset;
wrel->r_info = 0;
wrel->r_addend = 0;
--- a/bfd/elf32-metag.c
+++ b/bfd/elf32-metag.c
@@ -1396,7 +1396,7 @@ metag_final_link_relocate (reloc_howto_t
rel, relend, howto, contents) \
{ \
_bfd_clear_contents (howto, input_bfd, input_section, \
- contents + rel->r_offset); \
+ contents, rel->r_offset); \
\
if (bfd_link_relocatable (info) \
&& (input_section->flags & SEC_DEBUGGING)) \
--- a/bfd/elf32-nds32.c
+++ b/bfd/elf32-nds32.c
@@ -12582,14 +12582,14 @@ nds32_elf_get_relocated_section_contents
symbol = *(*parent)->sym_ptr_ptr;
if (symbol->section && discarded_section (symbol->section))
{
- bfd_byte *p;
+ bfd_vma off;
static reloc_howto_type none_howto
= HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL,
"unused", FALSE, 0, 0, FALSE);
- p = data + (*parent)->address * bfd_octets_per_byte (input_bfd);
- _bfd_clear_contents ((*parent)->howto, input_bfd, input_section,
- p);
+ off = (*parent)->address * bfd_octets_per_byte (input_bfd);
+ _bfd_clear_contents ((*parent)->howto, input_bfd,
+ input_section, data, off);
(*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
(*parent)->addend = 0;
(*parent)->howto = &none_howto;
--- a/bfd/elf32-ppc.c
+++ b/bfd/elf32-ppc.c
@@ -8232,7 +8232,7 @@ ppc_elf_relocate_section (bfd *output_bf
howto = ppc_elf_howto_table[r_type];
_bfd_clear_contents (howto, input_bfd, input_section,
- contents + rel->r_offset);
+ contents, rel->r_offset);
wrel->r_offset = rel->r_offset;
wrel->r_info = 0;
wrel->r_addend = 0;
--- a/bfd/elf32-visium.c
+++ b/bfd/elf32-visium.c
@@ -621,7 +621,7 @@ visium_elf_relocate_section (bfd *output
or sections discarded by a linker script, we just want the
section contents zeroed. Avoid any special processing. */
_bfd_clear_contents (howto, input_bfd, input_section,
- contents + rel->r_offset);
+ contents, rel->r_offset);
rel->r_info = 0;
rel->r_addend = 0;
--- a/bfd/elf64-ppc.c
+++ b/bfd/elf64-ppc.c
@@ -14074,7 +14074,7 @@ ppc64_elf_relocate_section (bfd *output_
{
_bfd_clear_contents (ppc64_elf_howto_table[r_type],
input_bfd, input_section,
- contents + rel->r_offset);
+ contents, rel->r_offset);
wrel->r_offset = rel->r_offset;
wrel->r_info = 0;
wrel->r_addend = 0;
--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
@@ -2490,7 +2490,7 @@ elf_x86_64_relocate_section (bfd *output
if (sec != NULL && discarded_section (sec))
{
_bfd_clear_contents (howto, input_bfd, input_section,
- contents + rel->r_offset);
+ contents, rel->r_offset);
wrel->r_offset = rel->r_offset;
wrel->r_info = 0;
wrel->r_addend = 0;
--- a/bfd/libbfd-in.h
+++ b/bfd/libbfd-in.h
@@ -696,8 +696,8 @@ extern bfd_reloc_status_type _bfd_reloca
(reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN;
/* Clear a given location using a given howto. */
-extern void _bfd_clear_contents
- (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN;
+extern bfd_reloc_status_type _bfd_clear_contents
+ (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN;
/* Link stabs in sections in the first pass. */
--- a/bfd/libbfd.h
+++ b/bfd/libbfd.h
@@ -701,8 +701,8 @@ extern bfd_reloc_status_type _bfd_reloca
(reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN;
/* Clear a given location using a given howto. */
-extern void _bfd_clear_contents
- (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN;
+extern bfd_reloc_status_type _bfd_clear_contents
+ (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN;
/* Link stabs in sections in the first pass. */
--- a/bfd/reloc.c
+++ b/bfd/reloc.c
@@ -1613,16 +1613,22 @@ _bfd_relocate_contents (reloc_howto_type
relocations against discarded symbols, to make ignorable debug or unwind
information more obvious. */
-void
+bfd_reloc_status_type
_bfd_clear_contents (reloc_howto_type *howto,
bfd *input_bfd,
asection *input_section,
- bfd_byte *location)
+ bfd_byte *buf,
+ bfd_vma off)
{
int size;
bfd_vma x = 0;
+ bfd_byte *location;
+
+ if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, off))
+ return bfd_reloc_outofrange;
/* Get the value we are going to relocate. */
+ location = buf + off;
size = bfd_get_reloc_size (howto);
switch (size)
{
@@ -1681,6 +1687,7 @@ _bfd_clear_contents (reloc_howto_type *h
#endif
break;
}
+ return bfd_reloc_ok;
}
/*
@@ -8268,14 +8275,14 @@ bfd_generic_get_relocated_section_conten
if (symbol->section && discarded_section (symbol->section))
{
- bfd_byte *p;
+ bfd_vma off;
static reloc_howto_type none_howto
= HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL,
"unused", FALSE, 0, 0, FALSE);
- p = data + (*parent)->address * bfd_octets_per_byte (input_bfd);
- _bfd_clear_contents ((*parent)->howto, input_bfd, input_section,
- p);
+ off = (*parent)->address * bfd_octets_per_byte (input_bfd);
+ _bfd_clear_contents ((*parent)->howto, input_bfd,
+ input_section, data, off);
(*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
(*parent)->addend = 0;
(*parent)->howto = &none_howto;